NIGC’s Tim Cotton looks back — and forward — at cyber crime

Tuesday, October 29, 2024 12:24 PM
  • David McKee, CDC Gaming

In the past five years, as cyber security has become a hot-button issue in gaming and Indian Country alike, the man taking the point is often Tim Cotton, IT audit manager for the National Indian Gaming Commission (NIGC). A graduate of Langston University, Cotton joined the agency a decade ago and has 20 years’ experience in information technology.

Cotton came to the fore a few years ago, as the pandemic coincided with an explosion in cyber assaults on tribal casinos. Three years on, how is the industry coping?

“When you start to think about tribes and what they can be doing better, multi-factor identification is one area that could be honed,” Cotton responded. “If they’re not there, they could be looking toward that.”

Another area he identified for improvement was regulatory compliance. “What are your controls like? When a regulatory body comes in and performs audits and assessments, it’s going to be more about, ‘How are you holding the line?’” he explained.

The NIGC is helping tribal gaming operators leverage cybersecurity measures to prevent manipulation of games. Cotton said that the existing regulations, especially those involving IT, are “all about protecting those tribal assets by any means necessary.”

He specifically cited NIGC vulnerability assessments, which entail looking at networks or performing services. “This is not a requirement,” he clarified. “We can come in and show them from a network perspective, ‘This is what you’re looking at.’” Cotton added that the NIGC does physical walk-throughs and focuses on the social-engineering aspect of cyber crime, the kind that laid MGM Resorts International low last year.

“People are the weakest link, in many instances,” Cotton said, elaborating that the salient aspect of his job was establishing trust. “We just try to be a person who’s talking to engage you, to try to get to areas that we should, and get folks to kind of acquiesce to what we want.”

As for the challenges that tribal gaming operators currently face in securing both their internal and external systems, Cotton zeroed in on the smaller tribes. With them, he said, it is more about network security and implementing modernization. “As we continue to go around the country and look at audits, some of the ways they could be better include definitely segmenting their networks as best as possible, to defend against those ransomware attacks.”

Cotton’s job wasn’t made any easier during the pandemic. Between 2019 and 2024, cyberattacks in Indian Country leapt 1,000 percent. Now, “the number’s much lower,” he reported. “During that time of 1,000 percent, we were right at COVID, so there were opportunities for threat actors to be milling around,” the regulator continued. “That’s why we saw that spike.”

However, Cotton didn’t agree with the assessment of TribalHub CEO Mike Day, who said of casinos, “They haven’t done the best job of getting prepared for this stuff.”

“He’s maybe getting some information that I’m not familiar with,” Cotton responded. “But what I’m seeing is that tribes are doing everything they can to put themselves in a position where they’re not being attacked, like any other industry.”

Are tribal casinos particularly soft targets, explaining the spike? “Almost anybody now can be a soft target,” answered Cotton. “If there’s an opportunity for a threat actor to see themselves as trying to obstruct, they’re going to utilize that.”

For his part, Cotton related that he has watched tribes trying to reach a better status quo, particularly in terms of how their IT infrastructure is set up and run. However, he noted, the situation continues to morph, “because there’s no inhibition on technology. We want the technology to continue to assist where it can, but we also want you to have those protection measures in place.”

In the past, Cotton has said that Indian Country has a go-slow approach to digital technology, “so we don’t wind up in the headlines.” He strove to explain the apparent disconnect between that remark and tribal casinos’ reputation for being first movers in new technology. “That statement was made because of my travel across this country. Your more advanced resource-driven tribal entities are in a position to stay ahead of the curve.”

Where the NIGC wants to put its focus, he added, is on small-sized and mid-sized casino operations. “That’s where the slowness comes from,” Cotton explained. “In a smaller operation, there’s one person that may be actually running everything.”

Cyber assailants, he continued, don’t fit any particular profile. “They could be mom-and-pop persons and teenagers sitting at home, all the way up to sophisticated organizations.”

That raised the issue of whether tribes were dealing with the best technology vendors available. “That’s a good question,” Cotton responded, saying the entire point of the NIGC was “to ensure that those vendor relationships are of a reputable nature and that’s what we will always push. Tribes sometimes, because they’re sovereign nations, may have the opportunity to use who they want.” However, the salient aspect of regulation is to make sure that tribes are working with the best and that is what the NIGC emphasizes.

Back in 2021, Cotton remarked that he didn’t see an end to cyberattacks on casinos. He doesn’t feel quite so strongly today.

“There may not be an end to the ransomware attacks,” he said. “They’re going to continue.” But the ounce of prevention may be gaining on the pound of cure. “The most important thing to come out of that [crime spree] is our tribes are now more ahead of the curve, ahead of the technology as best as possible and also trying to protect those tribal assets as best they know how.”